PoetRAT

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)
ID: S0428
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 27 Apr 2020
Last Modified: 19 Apr 2022

Techniques Used

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PoetRAT has used HTTP and HTTPS for C2 communications.(Citation: Talos PoetRAT October 2020)

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

PoetRAT has used FTP for C2 communications.(Citation: Talos PoetRAT October 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PoetRAT has the ability to compress files with zip.(Citation: Talos PoetRAT April 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PoetRAT has added a registry Run key entry for persistence.(Citation: Talos PoetRAT April 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PoetRAT has called cmd through a Word document macro.(Citation: Talos PoetRAT October 2020)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

PoetRAT has used Word documents with Visual Basic macros to execute malicious activities.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)

Enterprise T1059 .006 Command and Scripting Interpreter: Python

PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.(Citation: Talos PoetRAT April 2020)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

PoetRAT used TLS to encrypt command and control (C2) communications.(Citation: Talos PoetRAT April 2020)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

PoetRAT has used FTP for exfiltration.(Citation: Talos PoetRAT April 2020)
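Both the FTP C2 entry above (T1071.002) and this exfiltration entry describe the same observable: a workstation speaking cleartext FTP to a server outside the organisation, pushing files out and pulling tasking in. The script below is an added example, not code from the ATT&CK entry or the Talos reports. It parses a simplified, Zeek-like tab-separated FTP log whose field order and sample lines are constructed for this example, and flags any source/server pair where the server falls outside an assumed internal address space.

```python
"""Triage FTP activity for PoetRAT-style plaintext C2 and exfiltration.

Added example; not part of the ATT&CK entry or the Talos reports. The log
layout is a simplified, Zeek-like tab-separated format constructed for this
example (the field order is an assumption, not Zeek's real ftp.log schema).
"""
import ipaddress
from collections import defaultdict

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "user", "command", "arg", "file_size")

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a workstation authenticating in cleartext to an external
# FTP server, uploading an archive and a keylog, then fetching a script; plus
# one server-to-server backup transfer that stays internal and is not flagged.
SAMPLE_LOG = """\
1600000000.1\t10.20.30.41\t50211\t203.0.113.77\t21\tftpuser\tUSER\tftpuser\t-
1600000000.2\t10.20.30.41\t50211\t203.0.113.77\t21\tftpuser\tPASS\t<hidden>\t-
1600000001.0\t10.20.30.41\t50211\t203.0.113.77\t21\tftpuser\tSTOR\tdoc_2020.zip\t2400000
1600000002.0\t10.20.30.41\t50211\t203.0.113.77\t21\tftpuser\tSTOR\tklog.txt\t18000
1600000003.0\t10.20.30.41\t50211\t203.0.113.77\t21\tftpuser\tRETR\tupdate.py\t4200
1600000010.0\t10.20.30.99\t50500\t10.20.30.5\t21\tbackup\tSTOR\tnightly.tar\t900000000
"""


def parse_ftp_log(text):
    """Parse tab-separated lines into dicts; '-' marks an absent value."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["file_size"] = int(rec["file_size"]) if rec["file_size"] != "-" else 0
        records.append(rec)
    return records


def is_external(addr):
    """True when the address is outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def triage_ftp(records):
    """Group by (source, server) and flag pairs where the server is external.

    Each finding carries the uploaded file names and byte total (exfiltration
    candidates), the downloaded names (possible tasking or second-stage
    scripts) and whether a cleartext PASS was seen on the wire.
    """
    sessions = defaultdict(lambda: {"uploads": [], "upload_bytes": 0,
                                    "downloads": [], "cleartext_auth": False})
    for rec in records:
        s = sessions[(rec["orig_h"], rec["resp_h"])]
        cmd = rec["command"].upper()
        if cmd == "STOR":
            s["uploads"].append(rec["arg"])
            s["upload_bytes"] += rec["file_size"]
        elif cmd == "RETR":
            s["downloads"].append(rec["arg"])
        elif cmd == "PASS":
            s["cleartext_auth"] = True

    findings = []
    for (src, dst), s in sessions.items():
        if not is_external(dst):
            continue  # internal-to-internal FTP is out of scope for this rule
        if s["uploads"] or s["downloads"]:
            findings.append({"src": src, "dst": dst, **s})
    return findings


if __name__ == "__main__":
    for f in triage_ftp(parse_ftp_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {len(f['uploads'])} upload(s), "
              f"{f['upload_bytes']} bytes out, downloads={f['downloads']}, "
              f"cleartext_auth={f['cleartext_auth']}")
```

In production the internal ranges come from the asset inventory rather than a hard-coded list, and the rule would usually be scoped to endpoints, since FTP from a backup server to a partner may be sanctioned while the same traffic from a user workstation almost never is.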

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

PoetRAT has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.(Citation: Talos PoetRAT April 2020)

Enterprise T1056 .001 Input Capture: Keylogging

PoetRAT has used a Python tool named klog.exe for keylogging.(Citation: Talos PoetRAT April 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

PoetRAT was delivered with documents using DDE to execute malicious code.(Citation: Talos PoetRAT April 2020)
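A DDE field is an ordinary Word field whose instruction begins with DDE or DDEAUTO, so a static check for this delivery method is a scan of the field instructions in every WordprocessingML part of the .docx. The catch is that Word may split one instruction across many `<w:instrText>` runs, so a substring search over the raw XML misses fields unless the runs are joined first. The scanner below is an added example, not code from the Talos reports or the ATT&CK entry; the sample document it builds in memory is constructed for this example, and the payload inside it is a harmless placeholder.

```python
"""Static scan of a .docx for DDE / DDEAUTO field instructions.

Added example; not from the ATT&CK entry or the Talos reports. The sample
document is constructed in memory so the scan runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_instructions(xml_source):
    """Return every field instruction string in a WordprocessingML part.

    Handles both <w:fldSimple w:instr="..."> and complex fields, whose
    instruction lives in <w:instrText> runs between fldChar begin and
    fldChar separate/end. Runs are concatenated because one instruction may be
    spread over many runs, which defeats naive substring matching.
    """
    root = ET.fromstring(xml_source)
    instructions = []
    stack = []  # one buffer per open complex field, innermost last
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr")
            if instr:
                instructions.append(instr)
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append({"text": [], "in_result": False})
            elif kind == "separate" and stack:
                stack[-1]["in_result"] = True  # what follows is the cached result, not the instruction
            elif kind == "end" and stack:
                instructions.append("".join(stack.pop()["text"]))
        elif el.tag == W + "instrText" and stack and not stack[-1]["in_result"]:
            stack[-1]["text"].append(el.text or "")
    return instructions


def find_dde_fields(docx_bytes):
    """Scan every XML part under word/ (body, headers, footers) for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                fields = extract_field_instructions(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the whole scan
            for instr in fields:
                normalized = " ".join(instr.split())
                if DDE_RE.match(normalized):
                    hits.append((name, normalized))
    return hits


# Constructed sample body: a DDEAUTO field split across two instrText runs,
# with a harmless placeholder command in place of a real payload.
SAMPLE_DOCUMENT_XML = rf"""<w:document xmlns:w="{W_NS}"><w:body>
<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\Windows\\System32\\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/c echo dde-test" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error! Unknown document property name.</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:r><w:t>Constructed body text.</w:t></w:r></w:p>
</w:body></w:document>"""

# Constructed header with a benign PAGE field, to show that ordinary fields are not flagged.
SAMPLE_HEADER_XML = f"""<w:hdr xmlns:w="{W_NS}">
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:hdr>"""


def build_sample_docx():
    """Assemble a minimal .docx container around the constructed parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; a real file lists every part type
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
        zf.writestr("word/header1.xml", SAMPLE_HEADER_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for part, instr in find_dde_fields(build_sample_docx()):
        print(f"{part}: {instr}")
```

The same routine works on a file from disk by passing `open(path, "rb").read()`; for .doc (OLE2) attachments the field instructions live in the binary WordDocument stream instead, and this XML-based check does not apply.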

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.(Citation: Talos PoetRAT April 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

PoetRAT was distributed via malicious Word documents.(Citation: Talos PoetRAT April 2020)

Enterprise T1204 .002 User Execution: Malicious File

PoetRAT has used spearphishing attachments to infect victims.(Citation: Talos PoetRAT April 2020)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.(Citation: Talos PoetRAT April 2020)
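Two practical consequences follow from this entry. First, an analysis VM with a small virtual disk will never show the implant's real behaviour, so the disk the sample sees must look like a workstation's. Second, a sample that has already "deleted itself" leaves its script files in place with the License.txt text inside them, which is a recognisable forensic signature. The code below is an added example modelling the routine as described, not the malware's own code; the size threshold is an assumption (the entry and the Talos reports say only that the size was checked), and the scripts and License.txt it stages are constructed in a temporary directory.

```python
"""Model of PoetRAT's disk-size sandbox check and License.txt self-destruct.

Added example; not the malware's code. The threshold is an assumption: the
ATT&CK entry and Talos reporting say only that the hard drive size was checked.
"""
import hashlib
import os
import shutil
import tempfile

ASSUMED_MIN_DISK_BYTES = 60 * 1024**3  # assumption; tune to the sample under analysis


def sandbox_suspected(total_disk_bytes, threshold=ASSUMED_MIN_DISK_BYTES):
    """True when the disk is smaller than a real workstation would plausibly have."""
    return total_disk_bytes < threshold


def host_disk_bytes(path=os.path.abspath(os.sep)):
    """Total size of the volume holding `path`, as the sample would see it."""
    return shutil.disk_usage(path).total


def self_destruct(script_paths, license_path):
    """Overwrite each script with the contents of License.txt, as the entry describes.

    The files are not unlinked, so their names and timestamps survive; only the
    code is gone. Returns the list of paths touched.
    """
    with open(license_path, "rb") as fh:
        filler = fh.read()
    for path in script_paths:
        with open(path, "wb") as fh:
            fh.write(filler)
    return list(script_paths)


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_license_clones(directory, license_name="License.txt"):
    """Forensic triage: names of files byte-identical to License.txt in `directory`.

    A neutralised sample leaves every script with the same hash as the license
    file, so hash-matching is the quickest way to tell it from an intact one.
    """
    license_hash = _sha256(os.path.join(directory, license_name))
    return sorted(
        name for name in os.listdir(directory)
        if name != license_name
        and os.path.isfile(os.path.join(directory, name))
        and _sha256(os.path.join(directory, name)) == license_hash
    )


def run_demo(simulated_disk_bytes=40 * 1024**3):
    """Stage constructed scripts and a License.txt, run the check for a 40 GiB VM, report clones."""
    workdir = tempfile.mkdtemp(prefix="poetrat-demo-")
    try:
        license_path = os.path.join(workdir, "License.txt")
        with open(license_path, "w") as fh:
            fh.write("Constructed license text standing in for the real file.\n")
        scripts = [os.path.join(workdir, n) for n in ("launcher.py", "backdoor.py")]
        for path in scripts:
            with open(path, "w") as fh:
                fh.write("print('constructed placeholder script')\n")
        before = find_license_clones(workdir)          # [] while the scripts are intact
        if sandbox_suspected(simulated_disk_bytes):
            self_destruct(scripts, license_path)
        after = find_license_clones(workdir)           # both script names once overwritten
        return before, after
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("host disk:", host_disk_bytes() // 1024**3, "GiB, sandbox suspected:",
          sandbox_suspected(host_disk_bytes()))
    print("clones before/after simulated 40 GiB run:", run_demo())
```

Running `sandbox_suspected(host_disk_bytes())` inside a candidate analysis VM is a quick preflight: if it returns True under the assumed threshold, enlarge the virtual disk before detonating samples with this kind of check.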
